
Get licenses for NuGet packages

Open fg-j opened this issue 3 years ago • 8 comments

What would you like to be added: #726 brought initial support for generating SBOMs for NuGet packages 🎉 . One significant gap in the metadata in those SBOMs is license information. It'd be awesome if licenses for NuGet packages were included.

Why is this needed: License information is a key value proposition for compliance-minded users who are building .NET apps with NuGet dependencies.

Additional context:

The project.assets.json file that Syft scans for SBOM info doesn't include license information, but I wonder if it's possible to get it from somewhere else.

Here's a snippet of a SPDX SBOM generated with syft for a NuGet package:

...
  {
   "SPDXID": "SPDXRef-99c6488b6206ecc1",
   "downloadLocation": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceLocator": "cpe:2.3:a:Humanizer:Humanizer:2.14.1:*:*:*:*:*:*:*",
     "referenceType": "cpe23Type"
    },
    {
     "referenceCategory": "PACKAGE_MANAGER",
     "referenceLocator": "pkg:dotnet/[email protected]",
     "referenceType": "purl"
    }
   ],
   "filesAnalyzed": false,
   "licenseConcluded": "NONE",
   "licenseDeclared": "NONE",
   "name": "Humanizer",
   "sourceInfo": "acquired package info from dotnet project assets file: NugetBenchmarking.deps.json",
   "versionInfo": "2.14.1"
  },
...

The corresponding NuGet package, Humanizer.Core, uses the MIT license.

fg-j avatar Sep 23 '22 14:09 fg-j

Thanks so much for the issue @fg-j!

I also added the good first issue label since the write-up you did was so good.

If we have the bandwidth in the coming week/s we'll try and get this in, but also anyone who comes across this issue consider this fair game to attempt as a contribution.

Feel free to tag me in a draft PR if you do and I can always help with testing or cleanup!

spiffcs avatar Sep 30 '22 16:09 spiffcs

I have the exact same issue but with Rust crates. Here is an example of the TOML file contents:

[package]
edition = "2018"
name = "actix-server"
version = "2.1.1"
authors = ["Nikolay Kim <[email protected]>", "fakeshadow <[email protected]>", "Rob Ede <[email protected]>", "Ali MJ Al-Nasrawy <[email protected]>"]
description = "General purpose TCP server built for the Actix ecosystem"
homepage = "https://actix.rs"
keywords = ["network", "tcp", "server", "framework", "async"]
categories = ["network-programming", "asynchronous"]
license = "MIT OR Apache-2.0"

They do include the license. Is it planned to also output them for Rust packages?

vanthome avatar Jan 06 '23 16:01 vanthome

Really interested in seeing license info added for NuGet packages as well. Our organization is evaluating syft to integrate into our CI/CD processes to generate SBOMs that can be imported into Dependency-Track for analysis. Having this license data for NuGet packages would be 😎👌

jeremytbrun avatar Oct 27 '23 13:10 jeremytbrun

I'll give it a shot, if I may... https://github.com/HeyeOpenSource/syft

HeyeOpenSource avatar Oct 01 '24 14:10 HeyeOpenSource

I'd like to know when @HeyeOpenSource's PR will be merged. It seems the latest comment was the 2nd of November. We are eagerly awaiting this in Syft. For now we'll fall back on dotnet cyclonedx, but I'd rather like Syft. Thanks!

timg83 avatar Jan 02 '25 15:01 timg83

The only thing holding up getting the PR merged is that it requires shelling out to the dotnet CLI. If there was a way to implement this without requiring shelling out here, it would probably be much closer to getting merged, but it sounds like it's difficult to get the same information by just reading files on the filesystem.

Before we can merge this, we need to agree as a team how to identify and enable/disable enrichment that requires certain binaries to be available; we have avoided shelling out to tools intentionally to this point (with one notable exception, cosign, that has a lot of history I won't get into).

kzantow avatar Jan 02 '25 16:01 kzantow

Thank you for the explanation @kzantow.

NuGet config can be available in 3 locations:

Project-specific nuget.config: a nuget.config file located in the current directory or any parent directory of the project.
User-specific configuration: typically located in the user's profile directory (e.g., ~/.nuget/NuGet/NuGet.Config on Linux/Mac or %AppData%\NuGet\NuGet.Config on Windows).
Global configuration: located in the .nuget folder or as configured during the installation of NuGet tooling.

There you should be able to get the sources of the NuGet packages in XML format without the use of the dotnet CLI.

I'm no Go developer, so for me it would be difficult to add this to Syft unfortunately, else I would be glad to do it! I hope someone else is more capable than me to do this.

Thanks for the work in Syft though!

timg83 avatar Jan 03 '25 07:01 timg83
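One filesystem-only route to the missing license field, shown here as an added example that is neither syft's code nor any contributor's PR: once a package has been restored, NuGet leaves its .nuspec manifest in the global packages folder, and that manifest carries the declared license as an SPDX expression (or, for older packages, a licenseUrl). The folder layout and the nuspec field names below are assumptions about NuGet's cache, not something stated in this thread.

```go
package main

import (
	"encoding/xml"
	"path/filepath"
	"strings"
)

// Added example, not syft code. Assumption: the NuGet global packages folder
// keeps each extracted <id>/<version>/<id>.nuspec, whose <license> element
// holds an SPDX expression (type="expression") or names a license file.
type nuspec struct {
	Metadata struct {
		License struct {
			Type  string `xml:"type,attr"`
			Value string `xml:",chardata"`
		} `xml:"license"`
		LicenseURL string `xml:"licenseUrl"` // legacy pre-SPDX field
	} `xml:"metadata"`
}

// NuspecPath builds the manifest path inside the global packages folder;
// NuGet lowercases both id and version in that layout.
func NuspecPath(root, id, version string) string {
	id, version = strings.ToLower(id), strings.ToLower(version)
	return filepath.Join(root, id, version, id+".nuspec")
}

// DeclaredLicense returns the SPDX expression a .nuspec declares; without
// one it falls back to the legacy licenseUrl, and a package that only
// bundles a license file (type="file") yields "".
func DeclaredLicense(data []byte) (string, error) {
	var n nuspec
	if err := xml.Unmarshal(data, &n); err != nil {
		return "", err
	}
	m := n.Metadata
	if m.License.Type == "expression" {
		return strings.TrimSpace(m.License.Value), nil
	}
	return m.LicenseURL, nil
}

// Constructed manifest mirroring the Humanizer package from the issue.
const sampleNuspec = `<?xml version="1.0" encoding="utf-8"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <license type="expression">MIT</license>
  </metadata>
</package>`
```

A cataloger would pair each entry from project.assets.json with NuspecPath under the folder from nuget.config (or the default ~/.nuget/packages) and fill licenseDeclared from DeclaredLicense; packages never restored on the scanned host simply stay NONE.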

Unfortunately my employer has asked me not to put any more work into this. But since I just cannot let it rest I'll switch over to my private github account: naoriel

I'll open a pull request without the usage of the dotnet-tool a.s.a.p.

@timg83 Thanks for the information. I'll see whether I can incorporate that into a later pull request.

HeyeOpenSource avatar Jun 01 '25 20:06 HeyeOpenSource